This article is designed to help you evaluate whether the Zoom Mail Service is a good fit for your organization. This service is designed for small and mid-sized businesses. 

Zoom Mail Service is a Zoom-hosted email provider with optional end-to-end encryption for emails sent directly between active users on the Zoom Mail Service system. End-to-end encryption for those emails depends on factors such as user or account level settings, whether the sender and receiver have already generated encryption keys, and whether the sender and receiver are running the latest client version. The user interface will indicate when the email a user is about to send will be end-to-end encrypted.

Zoom Mail Service is designed to prioritize privacy between mail senders and recipients. This means information contained within end-to-end encrypted messages is private, and this information is not accessible to Zoom.

As such, some third-party security tools that businesses are accustomed to using on other email platforms are not compatible with Zoom Mail Service.

This article covers:

• Limitations for Zoom Mail Service encryption
  • User limitations
  • Admin limitations
• How encryption is used with Zoom Mail Service
  • E2E Encrypted
  • Server Encrypted
• How to use custom domains on the Zoom Mail Service
• How to enable or disable end-to-end encryption (E2EE)

Prerequisites for Zoom Mail Service encryption

• Account owner or admin privileges
• Zoom One Pro or Standard Pro account in the US or Canada

Limitations for Zoom Mail Service encryption

User limitations

• Users can only access Zoom Mail Service and Zoom Calendar Service through the Zoom desktop client. This requires version 5.12.7 or higher.
• Zoom Calendar Service content is not covered by end-to-end encryption.
• Zoom Mail Service cannot be accessed through the web browser or integrated with third-party mail clients, such as Outlook, Thunderbird, or others.
• There is no ability to preview inline attachments.
• Searching is performed on the user’s local device. Global searching and indexing of messages are not performed (e.g. keywords, associated files, phrase matching, etc.) because the contents are private.
• At this time, emails sent to an email list are not end-to-end encrypted, even if all email list recipients are Zoom Mail Service users.
• Integrations to third-party email services via the Zoom Mail Client are separate offerings; messages sent to or from users of these integrations are not end-to-end encrypted.
• Zoom Mail Service includes spam detection and filtering capability, but because Zoom has no access to the contents of end-to-end encrypted messages, we can only use signals visible to Zoom, such as message metadata, to flag messages as spam. Users should exercise caution when they receive messages tagged as end-to-end encrypted from unknown senders.

Admin limitations

• Zoom Mail Service cannot integrate with any third-party Data Loss Prevention (DLP) software. The end-to-end encryption used for emails between Zoom Mail Service users does not provide the ability to inspect or “peek” at messages to check for sensitive information while participants exchange mail.
• Zoom Mail Service cannot integrate with eDiscovery platforms. These tools require inspection and retrieval of mail contents, data, and associated attributes for evidence preservation.
• This also includes using Zoom Mail Service with other Zoom products and other 3rd-party integrations that leverage email in their workflow. This includes:
  • Zoom IQ: Email integration for deal analytics
  • Contact Center Solutions: Using Zoom Mail Service with encrypted mail as a customer channel queue.
  • Email archiving solutions: Such as Mimecast, Proofpoint, etc., for offloading mail to be retrieved for future use
  • Service Desk, ITSM, CRM Integrations: Using Zoom Mail Service to share emails to opportunities, tickets, and archive information as part of their databases.
• By default, email cannot be accessed by account admins, as only sending and receiving devices store the encryption key needed to decrypt the emails. However, customers who choose a custom domain will also have the option to set up key escrow on their account, which allows a designated escrow admin in an account to receive backup copies of cryptographic keys from all users in that account. Holding copies of these keys will let the escrow admin access all emails in the account, and can allow the admin to help users recover their messages after device loss or other IT failure.

How encryption is used with Zoom Mail Service

The footer of every email handled by the Zoom Mail Service denotes which type of encryption was used when sending or receiving the email: E2E Encrypted or Server Encrypted.

Note: Integrations with third-party email services through the Zoom Mail Client are separate offerings, and messages sent between users of these integrations are not end-to-end encrypted.

E2E Encrypted

Zoom Mail Service includes the option for emails sent and received directly between active Zoom Mail Service users to be end-to-end encrypted, depending on a variety of factors. The user interface indicates when the email a user is about to send will be end-to-end encrypted. When an email is end-to-end encrypted, only the users, and, depending on their settings, account owners, or designated account administrators control the encryption key and therefore access to the email content, including body text, subject line, attachments and custom labels applied to messages by users in their inboxes. Information such as the sender and recipients, mimeID, attachment number and size, and timestamps remain in plaintext so Zoom email servers can properly transmit the emails.

To use end-to-end encryption in Zoom Mail Service, users and their recipient(s) must all use email addresses assigned through Zoom Mail Service and be active users with a device associated with each email address. At this time, emails sent to an email list are not end-to-end encrypted, even if all recipients are Zoom Mail Service users. 

Recipients of emails sent through Zoom Mail Service can see, save, and share email content with others, including by sharing emails to Zoom Team Chat. If a recipient shares encrypted content with others, for example, by sharing an encrypted email to Team Chat or forwarding an encrypted email to a third-party recipient without a Zoom Mail Service account, the shared or forwarded content will not be end-to-end encrypted by Zoom. Additionally, designated admins in an account that has opted to use the key escrow feature will have access to all emails in that account, even though those emails will remain encrypted and inaccessible to anyone without the required keys, including Zoom. When the email a user is about to send will be end-to-end encrypted, the user interface will indicate this.

Server Encrypted

Emails between Zoom Mail Service users and those using other email services are encrypted when stored by Zoom. Zoom Mail Service encrypts incoming emails from third-party email services as soon as possible upon receipt and does not retain unencrypted copies of outgoing emails to such services after they are successfully sent.

How to use custom domains on the Zoom Mail Service

All customers will default to the Zoom-provided “zmail.com“ domain, but the use of other domains is possible.

Account owners and admins can view and manage the mail domains they own from the Zoom web portal. They can add or edit a domain, view all their domains in a list, and view details for a specific domain. Additionally, account owners and admins can select a domain they want to enable for the Zoom Mail and Calendar service.

Accounts managing one or more associated domains can use those domains to create corresponding email domains for use with the Zoom Mail Service. Admins can control mailing group creation, mailbox size quotas, calendar access control, and mail auto-deletion and retention.

Learn more about configuring domain management for Zoom Mail.

How to enable or disable end-to-end encryption (E2EE)

Account admin owners or admins can choose whether end-to-end encryption (E2EE) is enabled or disabled for their Zoom Mail domain when they add a domain. If the account admin disables E2EE, escrow and encryption are turned off for all users in their account. When a user enables a domain for Zoom Mail, they can turn E2EE on or off the first time.

When E2EE is disabled in Zoom Mail:

• There will be no escrow admin/backup key generation for signing in/out.

• There will be no encryption for private or shared email templates.

• There will be no password-protected email for external recipients.

• The message and email thread will not be encrypted.
• There will be no email signature encryption.
• There will be no fingerprint checks and no encryptions for created/updated/sent email drafts.
• The created/updated labels will not be encrypted.

• The E2EE email badge will be removed.

Learn more about domain management settings and managing devices with encryption access and backup encryption keys.